Cyber Briefing: 2025.11.21
Cyber threats surge with new APT tools, botnets, Android trojans, major corporate breaches, router hijacks, SEC case closure, piracy takedown, and crypto arrests.
👉 What’s the latest in the cyber world today?
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
🚨 Cyber Alerts
1. APT24 Uses BADAUDIO in Taiwan Spying
The China-linked threat actor APT24 has been utilizing new, sophisticated tactics and an undocumented backdoor called BADAUDIO since November 2022 to establish persistent remote access, primarily targeting organizations in Taiwan.
2. Tsundere Botnet Grows via Game Lures
A new and actively expanding Tsundere botnet has been targeting Windows users since mid-2025 and is designed to execute arbitrary JavaScript code. This resilient threat leverages the Ethereum blockchain for C2 communication, is likely spread via game-related lures, and has connections to Russian-speaking threat actors operating the 123 Stealer malware.
3. Sturnus Trojan Steals Android Chats
Sturnus is a sophisticated new Android banking trojan capable of credential theft and full device takeover for financial fraud, notably bypassing encrypted messaging by capturing decrypted content directly from the screen. This malware, currently in the evaluation stage and privately operated, is highly protected against removal and uses a mixed communication protocol, targeting financial institutions across Southern and Central Europe with region-specific overlays.
💥 Cyber Incidents
4. Almaviva Leak Exposes FS Group Data
A recent cyber attack targeting Almaviva resulted in the theft of approximately 2.3 terabytes of confidential corporate data, including sensitive information from the Ferrovie dello Stato Group, which was subsequently published on a Tor network forum. Despite the data breach, Almaviva confirmed that critical services and system functionalities remained fully operational and active due to established business continuity measures, while they activated safety and law enforcement procedures and informed relevant authorities.
5. Salesforce Breach Hits Over 200 Victims
Salesforce has announced another third-party security incident, likely attributed to the ShinyHunters hacking group, where unauthorized activity concerning Gainsight-published applications may have compromised data for hundreds of its customers. The breach seems to stem from the app’s external connection to Salesforce, prompting the company to revoke related access tokens and temporarily remove the applications from the AppExchange.
6. Over 50,000 Asus Routers Compromised
A campaign attributed to a Chinese state-sponsored threat actor, dubbed Operation WrtHug, has hijacked tens of thousands of discontinued Asus routers globally by exploiting known vulnerabilities in the AiCloud service to create a persistent network for espionage. The compromised devices, identified by SecurityScorecard, are primarily concentrated in Taiwan but also have significant clusters across the US, Russia, Southeast Asia, and Europe, establishing a vast Operational Relay Box (ORB) network.
📢 Cyber News
7. SEC Ends SolarWinds Case After Years
The U.S. Securities and Exchange Commission (SEC) has dropped its 2023 lawsuit against SolarWinds and its Chief Information Security Officer, Timothy G. Brown, concerning the 2020 supply chain attack, following a joint motion for voluntary dismissal filed on November 20, 2025. This decision, which the SEC stated doesn’t necessarily reflect its stance on other cases, comes after a U.S. District Court in July 2024 had already dismissed many of the agency’s initial allegations that the company had misled investors about its security practices.
8. TV Piracy Service With 26M Visits Closed
Photocall, a massive TV piracy streaming platform with over 26 million annual users, has been shut down following a collaborative anti-piracy investigation led by the Alliance for Creativity and Entertainment (ACE) and DAZN. The service, which provided unauthorized access to 1,127 channels from 60 countries, including major live sports like Formula 1, MotoGP, Serie A, and NFL, agreed to cease operations and transfer its domains to ACE after being approached by the organizations.
9. Crypto Mixer Founders Jailed for Laundering
The founders of the Samourai Wallet cryptocurrency mixing service, CEO Keonne Rodriguez and CTO William Lonergan Hill, have been sentenced to prison for their role in laundering over $237 million for criminals. Rodriguez received a five-year sentence, and Hill received four years, following their August 2025 guilty pleas to operating the illegal money-transmitting business and agreeing to forfeit the laundered criminal proceeds.
📈 Cyber Stocks
On Friday, 21st November, cybersecurity stocks extended their decline as broader technology markets faced renewed selling pressure. Rising concerns around enterprise budget timing, volatility driven by macro uncertainty, and sentiment shifts following recent acquisition news weighed heavily on the sector. Despite strong long-term fundamentals for identity, cloud, and endpoint security, the group traded decisively lower as investors moved away from high-growth and security-platform names ahead of the weekend.
CrowdStrike closed at 501.31 dollars and moved sharply lower, reflecting sustained profit-taking and softness across growth-oriented cybersecurity stocks.
Palo Alto Networks closed at 185.07 dollars and recorded a significant drop, driven by investor reaction to recent acquisition activity and continued caution around near-term enterprise spending.
Zscaler closed at 279.73 dollars and declined further, as valuation pressure in cloud and zero-trust names intensified amid broader tech weakness.
Fortinet closed at 78.04 dollars and slipped again, with concerns about hardware refresh cycles and firewall demand continuing to weigh on sentiment.
Okta closed at 78.32 dollars and traded lower, signalling ongoing caution in the identity-security segment and limited short-term catalysts to counter wider market declines.
💡 Cyber Tip
📱 New Sturnus Android Trojan Steals Chats and Takes Device Control
A new Android banking trojan called Sturnus has been discovered with advanced capabilities for credential theft and full device takeover. It can capture decrypted messages from apps like WhatsApp, Telegram, and Signal directly from the screen, bypassing encryption entirely. The malware uses region-specific banking overlays, accessibility abuse, and remote control features to commit financial fraud across parts of Europe.
What You Should Do
Install apps only from trusted sources and avoid sideloading APKs.
Review your device settings for suspicious accessibility permissions.
Monitor for fake login screens or pop-ups that imitate banking apps.
Regularly check your banking activity for unauthorized transactions.
Use mobile antivirus tools that specialize in detecting overlay and accessibility abuse.
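One way to carry out the accessibility-permission check above with more rigour than scrolling through the settings menu is to read the Android setting that records every enabled accessibility service and compare it against a list of services you knowingly use. The script below is an added example, not part of the newsletter or of any published Sturnus analysis; the allowlist entry and the sample service name are constructed values, and the `--live` path assumes `adb` is installed and a device is connected.

```shell
#!/bin/sh
# Audit Android's enabled_accessibility_services setting. Overlay and
# accessibility-abusing banking trojans must have their service switched on
# here, so an unexpected entry is a strong signal worth investigating.
# The raw value is what `adb shell settings get secure enabled_accessibility_services`
# prints: colon-separated "package/ServiceClass" entries, or "null" when none
# are enabled. It is passed in as a string so the check also runs offline.

# Accessibility services the device owner relies on (constructed example
# value; edit to match your own device).
ALLOWED="com.android.talkback/com.google.android.marvin.talkback.TalkBackService"

# flag_unknown_services RAW_VALUE
# Prints each enabled service that is not allowlisted, one per line.
# Returns 0 when nothing unexpected is enabled, 1 otherwise.
flag_unknown_services() {
    raw=$1
    # "null" or an empty string means no accessibility service is enabled.
    if [ -z "$raw" ] || [ "$raw" = "null" ]; then
        return 0
    fi
    unknown=0
    old_ifs=$IFS
    IFS=:                      # entries are ':'-separated; no bash arrays needed
    for svc in $raw; do
        [ -z "$svc" ] && continue
        case ":$ALLOWED:" in
            *":$svc:"*) ;;     # known-good service, ignore
            *) echo "UNEXPECTED accessibility service: $svc"; unknown=1 ;;
        esac
    done
    IFS=$old_ifs
    return $unknown
}

# Stand-alone run: read the live value from a connected device with --live,
# otherwise use a constructed sample containing one unknown service.
if [ "${1:-}" = "--live" ]; then
    value=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
else
    value="$ALLOWED:com.example.update/.SvcA"
fi
if flag_unknown_services "$value"; then
    echo "OK: only allowlisted accessibility services are enabled"
else
    echo "Review the services above in Settings > Accessibility"
fi
```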
Why This Matters
Sturnus is highly sophisticated and capable of capturing everything displayed on the device, including encrypted chat content. Its remote control features allow attackers to perform actions in real time, making it a serious threat to mobile banking users and encrypted messaging privacy.
📚 Cyber Book
The Psychology of Cybersecurity by Tarnveer Singh
That concludes today’s briefing.
Copyright © 2025 CyberMaterial. All Rights Reserved.